Security Assessment for JLJ Information Technology Group
By John Jacobs
Table of Contents
Company Description
Management Controls
Operational Controls
Technical Controls
Concerns and Recommendations
JLJ Information Technology Group helps organizations of all sizes to successfully do business online. Their complete portfolio of technology services drives business effectiveness and profitability for many customers not only in the United States but also around the world.
The breadth of their offering extends from helping small businesses ...
This organization has implemented an Information Security Program (ISP), a management system that represents the policies and controls implemented within the organization. The program is effective in part because it gives both management and users a detailed understanding of the goals, approach and implemented controls for securing the organization’s information assets, including but not limited to sensitive information (for example, personal information); however, it does not cover risk assessment, risk treatment, or the implementation of security controls.
JLJ IT Group has policies in place to inform employees of the security controls that are in place and to describe how the company maintains its IT infrastructure. The policies state that upper management is responsible for ensuring that the correct security controls are in place, and that these policies must comply with the overall information security goals of the organization, which follow NIST Special Publication 800-53A.
While reviewing JLJ IT Group’s Management Controls security policies, it was found that the company’s risk assessment policy was not written in enough detail for a reader to understand what requirements must be implemented to carry out a minimum risk assessment. Interviews with the employees who perform risk assessments showed that a large amount of training is needed on how to perform this task. This training must emphasize that if NIST Special Publication 800-53A is to be truly followed, JLJ IT Group will have to be able to identify, quantify and prioritize risk against operational and control objectives, and to design, implement and exercise controls that provide reasonable assurance that the objectives of the company’s management controls will be met and that risk will be managed to an acceptable level. It does not appear that the company knows how to evaluate the impact and likelihood of potential threats, including calculating the cost of a threat if one were to occur. When calculating cost, costs should be interpreted broadly to include money, resources, time and loss of reputation, among others. The policy also does not state to whom it applies. It was also found that JLJ IT Group has no system configuration program or documentation in place to track system changes.
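The paragraph above lists the steps the company cannot yet perform: identify threats, rate their likelihood and impact, express cost broadly (money, staff time, reputation), prioritize, and compare the result against an acceptable level of risk. The following Python sketch is an added illustration of those steps in working form; it is not part of this assessment, of NIST SP 800-53A, or of any JLJ IT Group material. The 1 to 5 rating scales, the threat names, the cost figures, the hourly staff rate and the acceptable-risk threshold are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass

# Qualitative ratings mapped to a 1-5 scale (constructed scale for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    name: str
    likelihood: str      # rating from LIKELIHOOD
    impact: str          # rating from IMPACT (operational impact)
    annual_rate: float   # expected occurrences per year
    cost_money: float    # direct financial loss per occurrence
    cost_hours: float    # staff hours to recover per occurrence
    reputation: str      # reputational harm, rated on the IMPACT scale

    def risk_score(self) -> int:
        """Likelihood x impact; reputational harm counts as the impact when it is worse."""
        impact = max(IMPACT[self.impact], IMPACT[self.reputation])
        return LIKELIHOOD[self.likelihood] * impact

    def single_loss(self, hourly_rate: float) -> float:
        """Cost of one occurrence, interpreting cost broadly: money plus staff time."""
        return self.cost_money + self.cost_hours * hourly_rate

    def annual_loss(self, hourly_rate: float) -> float:
        """Annualized loss: cost of one occurrence times expected occurrences per year."""
        return self.single_loss(hourly_rate) * self.annual_rate


def prioritize(threats, hourly_rate=75.0):
    """Order threats by risk score, breaking ties by annualized loss (highest first)."""
    return sorted(
        threats,
        key=lambda t: (t.risk_score(), t.annual_loss(hourly_rate)),
        reverse=True,
    )


def treatment_queue(threats, acceptable_score, hourly_rate=75.0):
    """Threats whose score exceeds the acceptable level, in the order to treat them."""
    return [t for t in prioritize(threats, hourly_rate) if t.risk_score() > acceptable_score]


# Constructed sample register; names and values are illustrative, not JLJ IT Group data.
REGISTER = [
    Threat("Ransomware on file server", "unlikely", "major", 0.2, 40000, 160, "major"),
    Threat("Phishing credential theft", "likely", "moderate", 2.0, 5000, 24, "moderate"),
    Threat("Undocumented config change breaks production", "likely", "moderate", 3.0, 2000, 16, "minor"),
    Threat("Office power outage", "unlikely", "minor", 1.0, 500, 8, "negligible"),
]

if __name__ == "__main__":
    # Assumed loaded staff cost of $75/hour and an acceptable risk score of 6.
    for t in prioritize(REGISTER):
        print(f"score {t.risk_score():>2}  ${t.annual_loss(75.0):>9,.0f}/yr  {t.name}")
    print("Needs treatment:", [t.name for t in treatment_queue(REGISTER, acceptable_score=6)])
```

Note that score and annualized loss are separate dimensions: in the sample register the ransomware threat has a lower score than the phishing threat but a higher annual loss than the configuration-change threat, which is why the queue sorts on score first and uses loss only to break ties. The example also shows why the policy must say to whom it applies: the ratings, the hourly rate and the acceptable threshold are management decisions that someone has to own.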
Per the Federal Information Processing Standard 200 (FIPS 200), Operational Controls are security controls, i.e. safeguards or countermeasures for an information system that are primarily implemented and executed by people as opposed to systems.
In reference to the above definition, the question “Has a system security plan been developed and approved?” was asked. The answer was “yes”, and a copy of the security plan was given for review. It was also found that the security plan every year or when there are changes made to the company’s security...